GHSA-7phw-cxx7-q9vq

GitHub Security Advisory

Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

In Spring Framework versions 6.0.0 - 6.0.6 and 5.3.0 - 5.3.25, using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, with the potential for a security bypass.

Affected Packages

Maven org.springframework:spring
Affected versions: 6.0.0 (fixed in 6.0.7)
Maven org.springframework:spring
Affected versions: 5.3.0 (fixed in 5.3.26)

Related CVEs

Key Information

GHSA ID: GHSA-7phw-cxx7-q9vq
Published: March 28, 2023 12:34 AM
Last Modified: March 14, 2024 8:52 PM
CVSS Score: 9.0/10
Primary Ecosystem: Maven
Primary Package: org.springframework:spring
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.